Secure Cross-VPC Connections Part 1: EC2 to RDS with VPC Lattice Resource Endpoints

In the first part of this three-part series, we explore how Amazon VPC Lattice Resource Endpoints provide a secure solution for connecting EC2 instances directly to RDS databases across different VPCs—without traditional networking solutions like VPC peering and Transit Gateway. Whether you're managing multi-account environments or separating workloads across VPCs, discover how VPC Lattice Resource Endpoints help to simplify your architecture.

Published May 23, 2025
Last Modified Jun 4, 2025
This post is the first in a three-part series. Check out the other parts at the following links:
  1. Part 1: We are here!

VPC Lattice Patterns

Amazon VPC Lattice is a fully managed application networking service that you use to connect, secure, and monitor the services and resources for your application. Amazon VPC Lattice enables service-to-service connectivity, eliminating the need to connect VPCs using VPC peering or Transit Gateway.
There are several ways to use Amazon VPC Lattice to connect to RDS instances. The patterns are summarised in the table below; this blog explores the Resource Endpoint pattern.
Pattern / Features / Note
  • Resource Endpoint
    Features: Option of a 1:1 mapping between the resource endpoint and the resource configuration, allowing a security group per resource endpoint.
    Note: IPs from the VPC IP space are used to enable connectivity.
  • Lattice Service Network VPC Endpoint
    Features: Uses a single endpoint in the VPC to connect to your Lattice services.
    Note: IPs from the VPC IP space are used to enable connectivity.
  • Lattice Service Network VPC Association
    Features: With a service network association, connectivity is enabled using non-routable public IPs.
    Note: No IPs are consumed within the VPC. Connectivity to the services uses the Lattice-provided DNS name. Original DNS names cannot be used (e.g. the RDS DNS name).
If you're keen to find out more, this AWS re:Invent 2024 video provides great explanations for the patterns listed above.

Architecture

In this blog we will be deploying the following architecture.
  1. The RDS instance in the Provider VPC is private.
  2. A Resource Gateway is created in the Provider VPC. This is the point of inbound traffic into the VPC where the RDS instance resides. A VPC must have a resource gateway if you plan on making resources inside the VPC accessible from other VPCs or accounts.
  3. The resource configuration represents the RDS instance that we want to make accessible to the Consumer VPC. By defining a resource configuration, you can allow private, secure, unidirectional network connectivity to resources in your VPC from clients in other VPCs and accounts. A resource configuration is associated with a resource gateway through which it receives traffic.
  4. In the Consumer VPC, we create a resource endpoint that provides private access to a resource. A resource endpoint can be associated with only one resource configuration. The resource configuration can represent a single resource or a group of resources. In our case the resource configuration represents a single RDS instance.
  5. An Amazon EC2 instance is also created in the Consumer VPC to test connections to RDS. For convenience, we create an S3 Gateway Endpoint in the Consumer VPC so the EC2 instance can install packages without internet access. We also create the VPC interface endpoints needed for Session Manager access.
Architecture Diagram

Deployment

To implement this solution, you'll need to navigate to this GitHub repository folder where you'll find the deployment instructions to provision all necessary resources using Terraform.
Running terraform apply produces an output that shows the commands and the password used to connect to the RDS instance. This password is output in plaintext for demo purposes. In a real environment you would use a secrets management tool such as HashiCorp Vault or AWS Secrets Manager. In addition, if you use Terraform to deploy your RDS instance with a random password, you can use ephemeral resources so that the password is not persisted in state.
Terraform apply output
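As an added example (not code from the page's repository), this is one way to act on the caveat above in Terraform: an ephemeral random_password feeds the write-only password_wo argument of aws_db_instance, so the value is never written to state or plan files. It assumes Terraform 1.11 or later and provider releases that support ephemeral resources and write-only arguments; the version constraints, variable names, identifier and instance settings are assumptions.

```hcl
terraform {
  required_version = ">= 1.11" # write-only arguments need Terraform 1.11+ (assumed)
  required_providers {
    aws    = { source = "hashicorp/aws", version = ">= 5.87" }
    random = { source = "hashicorp/random", version = ">= 3.7" }
  }
}

# Assumed inputs supplied by the rest of the deployment.
variable "db_subnet_group_name"  { type = string }
variable "rds_security_group_id" { type = string }

# Ephemeral resource: the value exists only while plan/apply runs and is
# never written to the state or plan file.
ephemeral "random_password" "db" {
  length           = 32
  override_special = "!#$%&*()-_=+[]{}<>:?" # no '/', '@', '"' or space (RDS rejects them)
}

resource "aws_db_instance" "postgres" {
  identifier             = "lattice-demo-postgres" # assumed name
  engine                 = "postgres"
  instance_class         = "db.t3.micro"
  allocated_storage      = 20
  username               = "postgres"
  db_subnet_group_name   = var.db_subnet_group_name
  vpc_security_group_ids = [var.rds_security_group_id]
  publicly_accessible    = false # stays private; reached only through the Resource Gateway
  skip_final_snapshot    = true  # demo only

  # Write-only argument: sent to the RDS API on apply, not persisted in state.
  # Increment password_wo_version to push a newly generated password.
  password_wo         = ephemeral.random_password.db.result
  password_wo_version = 1
}

# Alternative that keeps the secret out of Terraform entirely: let RDS create
# the master password and store it in AWS Secrets Manager by setting
#   manage_master_user_password = true   (and omitting password / password_wo)
```

With this layout the connection password no longer appears in terraform output; hand it to clients through Secrets Manager or another secrets store instead.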

Relevant deployed resources

RDS instance

Navigate to the Aurora and RDS console and choose Databases. Then choose the terraform-* RDS instance to view its connectivity & security options. Optional: note the VPC ID, then navigate to the VPC console to verify that neither VPC peering nor Transit Gateway is configured for this VPC.
RDS instance connectivity and security

Resource Gateway

The Resource Gateway page shows the associated resource configurations. Note that the resource configuration of type Child was created automatically after the resource configuration of type ARN was created.
Resource Gateway details

Resource Configuration

Navigate to the VPC Console and under PrivateLink and Lattice, choose Resource configurations. Then choose the rds resource configuration.
Resource Configurations
In the Endpoint associations tab, verify that the resource configuration is associated with a VPC Endpoint. Click on the endpoint ID.
Resource Configuration Endpoint associations

VPC Endpoint

The VPC Endpoint has the following details:
  • Endpoint type: Resource
  • Private DNS names enabled: Yes
Choose the Associations tab for the VPC Endpoint. Note the value in the DNS Name and Private DNS columns.
Resource Endpoint - Endpoint associations

Security Groups

The architecture diagram shows the security groups and their rules that allow traffic from the EC2 instance to the RDS instance through the Lattice Resource Endpoint and the Resource Gateway.
  • RDS Instance security group allows inbound traffic from the Resource Gateway security group on the database port
  • Resource Gateway security group allows outbound traffic to the RDS Instance security group on the database port
  • Resource Endpoint security group allows inbound traffic from the EC2 Client security group on the database port
  • EC2 Client security group allows outbound traffic to the Resource Endpoint security group on the database port
Architecture diagram with Security Groups

RDS Security Group

The RDS Security Group has an inbound rule that allows traffic on the database port from the Resource Gateway Security Group.
RDS Security Group Inbound Rules
The RDS Security Group does not have any outbound rules.
RDS Security Group Outbound Rules

Resource Gateway Security Group

The Resource Gateway Security Group does not have any inbound rules.
Resource Gateway Security Group Inbound Rules
The Resource Gateway Security Group has an outbound rule to the RDS Security Group on the database port.
Resource Gateway SG Outbound

Resource Endpoint Security Group

The Resource Endpoint Security Group has an inbound rule that allows traffic on the database port from the EC2 Client Security Group.
Resource Endpoint Security Group Inbound Rules
The Resource Endpoint Security Group does not have any outbound rules.
Resource Endpoint Security Group Outbound Rules

EC2 Client Security Group

The EC2 Client Security Group does not have any inbound rules.
EC2 Client Security Group Inbound Rules
The EC2 Client Security Group has an outbound rule to the Resource Endpoint Security Group on the database port. The other rule shown exists so the instance can download the PostgreSQL client and reach Session Manager.
EC2 Client Security Group Outbound Rules
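The four security groups and rules described above, written as Terraform (an added example, not the repository's own code): every rule references the neighbouring group rather than a CIDR, so the only permitted path is EC2 Client to Resource Endpoint in the Consumer VPC and Resource Gateway to RDS in the Provider VPC, on the database port only. The variable names, the PostgreSQL port 5432 and the for_each layout are assumptions; the extra egress rule for Session Manager and package downloads is left out.

```hcl
variable "consumer_vpc_id" { type = string } # assumed inputs
variable "provider_vpc_id" { type = string }

locals {
  db_port = 5432 # PostgreSQL default; assumed
  # Which VPC each security group lives in.
  groups = {
    ec2_client        = var.consumer_vpc_id
    resource_endpoint = var.consumer_vpc_id
    resource_gateway  = var.provider_vpc_id
    rds               = var.provider_vpc_id
  }
  # The only two hops allowed; Lattice carries traffic between endpoint and gateway.
  hops = {
    client_to_endpoint = { from = "ec2_client", to = "resource_endpoint" }
    gateway_to_rds     = { from = "resource_gateway", to = "rds" }
  }
}

resource "aws_security_group" "this" {
  for_each = local.groups
  name     = each.key
  vpc_id   = each.value
  # Terraform removes AWS's default allow-all egress rule, so a group with no
  # rule below (rds and resource_endpoint outbound, for example) really has none.
}

# Egress on the source group, scoped to the destination group on the DB port.
resource "aws_vpc_security_group_egress_rule" "hop" {
  for_each                     = local.hops
  security_group_id            = aws_security_group.this[each.value.from].id
  referenced_security_group_id = aws_security_group.this[each.value.to].id
  ip_protocol                  = "tcp"
  from_port                    = local.db_port
  to_port                      = local.db_port
}

# Matching ingress on the destination group, accepting only the source group.
resource "aws_vpc_security_group_ingress_rule" "hop" {
  for_each                     = local.hops
  security_group_id            = aws_security_group.this[each.value.to].id
  referenced_security_group_id = aws_security_group.this[each.value.from].id
  ip_protocol                  = "tcp"
  from_port                    = local.db_port
  to_port                      = local.db_port
}
```

A quick review check on any deployment of this pattern: no group should carry a 0.0.0.0/0 rule on the database port, and the RDS group should reference only the Resource Gateway group.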

Testing

Navigate to the EC2 console and view the running instances. Select the checkbox next to the ec2-client EC2 instance and choose Connect.
EC2 Instances Connect
Choose the Session Manager tab and choose Connect.
Session Manager Connect

Test using the RDS endpoint

Run the following commands to connect to the RDS PostgreSQL instance. Replace <REPLACE> with your RDS endpoint, retrieved in the Relevant deployed resources section above.
Then enter the password when prompted. This establishes a connection to the RDS instance via the Lattice Resource Endpoint.
psql connect to rds endpoint
Once connected, you can try various SQL commands. For example:
psql connect to rds endpoint sql command

Test using the Resource Endpoint DNS Name

In this test we use the VPC endpoint DNS name to connect to the RDS instance.
Run the following commands to connect to the RDS PostgreSQL instance. Replace <REPLACE> with your Resource Endpoint DNS name, retrieved in the Relevant deployed resources section above.
Then enter the password when prompted. This establishes a connection to the RDS instance via the Lattice Resource Endpoint.
psql connect to resource endpoint
Once connected, you can try various SQL commands. For example:
psql connect to resource endpoint sql command

Conclusion

In this first instalment of the three-part series, I've demonstrated how Amazon VPC Lattice Resource Endpoints provide an elegant solution for cross-VPC database connectivity. This approach simplifies your architecture by eliminating the need for traditional networking constructs like VPC peering, Transit Gateway, or site-to-site VPNs.
Check out the other parts of the series, which showcase the various patterns for connecting your resources using Amazon VPC Lattice, at the following links:
  1. Part 1: We are here!
